#npm
27 stories taggednpm · page 2 of 2.

Poisoned npm Package Stole OpenAI Codex Tokens — and the GitHub Repo Looked Fine
codexui-android published clean source code while shipping malicious artifact builds that harvested refresh tokens. The gap between repo and registry is where the attack lived.

Miasma Attack Targets Red Hat Packages
Supply chain breach deploys credential-stealing worm through compromised npm packages.

Malicious npm Package codexui-android Pulls 29K Weekly Downloads, Targets OpenAI Codex Tokens
A package posing as a remote web UI for OpenAI Codex is harvesting developer credentials. It's still live on npm and GitHub.

GlassWorm Is Down. The Repository Problem Isn't.
CrowdStrike, Google, and Shadowserver severed four C2 channels simultaneously. Meanwhile, 157 OSV false positives quietly eroded trust in the tools defenders depend on.

CrowdStrike, Google and Shadowserver Pull the Plug on GlassWorm's C2
A coordinated takedown severed every known command channel of the developer-targeting worm — for now.

The npm Package That Reached Into Claude's Sandbox
A bait package called mouse5212-super-formatter quietly siphoned files from the directory Anthropic's Claude uses to handle user uploads, exfiltrating them to a GitHub repo controlled by the author.

Glassworm's blockchain command channel went down. Nobody will say who pulled the plug.
Researchers say the developer-targeting botnet is offline after its Solana and BitTorrent DHT C2 was disrupted. The mechanics of the takedown, and who authorised it, remain unexplained.

Your CI Pipeline Is Already Too Late — CVE Lite CLI Disagrees With Your Entire Workflow
An OWASP-backed JavaScript dependency scanner built by Sonu Kapoor wants to catch vulnerable packages the moment a developer types the install command, not when the build breaks at 2 a.m.

TrapDoor: The Supply Chain Campaign That Wants Your Whole Dev Environment, Not Just Your Secrets
A cross-registry malware campaign hitting npm, PyPI, and Crates.io is going after CI/CD pipelines, SSH trust chains, and AI coding assistant files — not just credentials on install.

The Boring Attacks Are Winning: Why Defenders Keep Losing to Trusted Tools
Leaked tokens, poisoned npm packages, and login replays are doing more damage than zero-days this quarter. Here is how to spot the pattern before it spots you.

TrapDoor Campaign Plants Credential Stealers Across npm, PyPI, and Crates.io
A coordinated operation seeded 34+ malicious packages across three registries since May 2026. If you ship code, this one is sitting in your dependency tree right now.

npm Introduces Staged Publishing With Mandatory 2FA Gate for Maintainer Approval
GitHub's package registry now requires a human maintainer to clear a two-factor challenge before a release leaves a staging area, a control aimed at the supply chain attacks that have repeatedly compromised the JavaScript ecosystem.